How MSSPs can cost effectively tackle ransomware

By Matthew Rhodes, Regional Director for MSSPs at Logpoint.

  • Tuesday, 8th August 2023 Posted 6 months ago in by Phil Alsop

Ransomware is now regarded as a top threat, with the commercialisation of these attacks via Ransomware-as-a-Service and nation state sponsored attacks seeing threat actors refine their attack capabilities. Following a brief hiatus earlier this year, attacks are now on the rise again, with the Mid-Year Cyber Threat Report recording almost 90million attacks during Q2 2023, up 74% compared to the first quarter.

It turns out the ransomware window ie the time from compromise to the deployment of ransomware and encryption of data has shrunk. It now stands at 4.5 days compared to 5 days in 2021. Meanwhile, attacker dwell time on networks has halved from 22 days to just 11. So, attackers are getting in, obtaining the data they want, and getting out much faster.

There’s also been a significant shift in ransomware practices. Rather than encrypting the data in exchange for a ransom, many operators are now stealing data and threatening to leak it, leading to a rise in extortion-based attacks. Reports suggest that non-encryption ransomware attacks were up 25% between April and June of this year and the attack against the MOVEit file sharing protocol by the Clop group is a perfect example of how devastating these can be.

Struggling to keep up

Defences, however, are not keeping pace. According to the MSSP Automation and Integration report, 65% of businesses saying SOC operations are losing time due to inefficient processes, 57% saying the Mean Time to Detect (MTTD) and MTTR are below goals, and 35% saying they do not have the best process or tools for building detection patterns. This presents MSSPs with a clear opportunity, with many organisations now turning to the channel to provide access to the latest technology to counter the ransomware threat.

The faster infiltration we’re seeing with ransomware attacks requires faster detection and defence, which is why it’s imperative that monitoring covers the entire information estate, from email to endpoints. Endpoint Detection and Response (EDR) is a tool that can help here as it continuously monitors all endpoint devices for threats that may get past traditional defence mechanisms such as anti-virus, anti-malware and firewalls. Analysis is carried out in real-time and incident response is carried out automatically to speedily mitigate threats and minimise the impact of an attack. EDR can therefore dramatically improve detection, reduce dwell time and increase Mean Time to Response (MTTR).

Yet many businesses cannot afford to invest in EDR, lack the expertise or resource to manage it. This makes it a prime technology for MSSPs to consider, with many looking to add it to their portfolio over the next 12-24 months, according to the report. The difficulty lies in being able to integrate such technologies with their current offerings. MSSPs don’t want to have to bolt together different technologies and dedicate the manpower to managing and customising these, all of which leads to higher overhead costs.

Integrating EDR

Monitoring end user devices, networks, applications, and firewalls is complex and even more so when using point solutions which have different ways of working. Over time, the addition of numerous technologies to the security stack has inevitably lead to siloed operations. Those overseeing these technologies then have to resort to swivel chair monitoring, logging into and reviewing alerts across numerous user interfaces. As these standalone technologies are not integrated, bringing together this information then requires the manual correlation of events and alerts.

A lack of interoperability can often be the reason a customer chooses to outsource to an MSSP due to the complexity involved but it can equally be an issue for the MSSP too. Increasingly, MSSPs are looking at how they can simplify the stack and this is now front of mind when it comes to investing in new technologies. So, when it comes to developing a ransomware-ready solution, MSSPs pre-integrated technologies and one example of this is virtual EDR integrated within the Security Incident and Event Management (SIEM).

A converged SIEM (sometimes referred to as a next generation SIEM) extends the traditional functionality of the SIEM by incorporating additional, complementary tool sets. Adding in EDR, for instance, sees log source analysis also incorporate EDR monitoring so that issues can be captured even earlier. Using agents deployed on the endpoints, data is fed back to the SIEM rather than a separate EDR server so that the EDR operates as another log source. This then means there is no need to extrapolate the threat data to explore the potential impact of a threat. Because this data is compared against the tactics, techniques and procedures (TTPs) outlined in the MITRE ATT&CK framework, this provides a more comprehensive form of monitoring across the network and its endpoints, reducing MTTD and MTTR.

The convverged SIEM can also integrate other threat hunting technologies such as Security Orchestration Automation and Response (SOAR) and User Entity and Behaviour Analytics (UEBA). SOAR brings together data from disparate sources and then uses automation to ingest and analyse alerts. It can prioritise threats, make recommendations and carry out automated actions including automated response through the use of pre-built and customised playbooks. Post-incident, it can also provide automated case management and reporting.

UEBA works by building baseline parameters of ‘normal’ behaviours that are tailored to each individual user. When behaviours then stray outside of these parameters, these are automatically flagged to security analysts for their review. So in the case of a ransomware attack, the exfiltration of data via a particular endpoint which went against that user’s usual work pattern would trigger an alert.

A combined effort

But integration doesn’t just reduce complexity, it also paves the way for the MSSP to take a less reactive and more proactive stance. Rather than being alert and event driven, the MSSP can offer more proactive services such as threat hunting and emerging threat detection. This is because assimilating these tools together enables far more effective endpoint interrogation and faster threat detection and incident response (TDIR). The event logs and flat files capture behaviour from systems and applications hosted on servers enabling forensic investigations and threat hunting to be carried out by the IR team. This means that, in the event of an attack, the logs can be used to determine how the attack gained access and moved across the network during the investigation.

As those endpoint logs and telemetry are being fed into the SIEM they can be enriched using contextual information from the MITRE ATT&CK framework to see which tactics, techniques and procedures were used. They can also be configured with compliance standards to save time and resources during audits.

MSSPs can and should be looking to extend their capabilities to address the ransomware threat but what they don’t want to end up with is a bloated resource-hungry stack. They need to expand their offerings but also need to reduce complexity so at some point have to adopt a convergent approach and combine functionality.

Convergence of complementary technologies promises to greatly emancipate MSSPs as they’ll no longer be as restricted when it comes to choosing which technologies to offer. Combining multiple threat hunting solutions over a single platform, for instance, ensures the MSSP remains competitive while gaining from much better network visibility, control and lower maintenance demands by using one solution - benefits they can then pass on to their customers.